
tough choices

Hello:
We are designing two multi-user client server applications that
perform a large number of transactions on database servers. On
average Application A has a 50% mix of select and update/insert/delete
statements and application B has an 80-20 mix of select and
update/insert/delete statements. Being able to scale the databases as
needed so the performance is unaffected is one of our critical
requirements. We've been investigating Oracle 10g RAC and DB2 ESE as
alternatives and in both cases unfortunately, we get a lot more
marketing spin than real answers. I've looked through some of the
newsgroup postings on oracle and ibm's websites and most of the
discussions seem to be about high availability (and technology
evangelism). The information we've gathered so far seems to point to:

1. The critical factor (and possibly the bottleneck) for Oracle's RAC
performance is the network and the storage access speed- if the
network does not have ample unused bandwidth or the rate at which
storage can be accessed by various nodes has reached the point of
diminishing returns - we won't get any additional performance by
simply increasing the number of nodes. Also, the application that
performs more writes will hugely increase the network traffic because
of synchronization requirements.

2. DB2 can deliver better performance but only if the data that is
accessed together is physically laid out together and the application
has knowledge of the physical data layout (so it can connect to the
right node in the cluster). However, if we separate the application
logic from the physical layout of the data the performance will be
unpredictable.

All this is just hypotheses - if anyone has some real world experience
with these two offerings and can offer an objective opinion - we'd
really appreciate it.
Nov 12 '05
Question though. How many customers in reality have security
requirements that are this granular and that need to be met based on
only an IP address coming in?

Larry Edelstein

Howard J. Rogers wrote:
"Tony" <an******@onetel.net.uk> wrote in message
news:c0**************************@posting.google.com...
"Howard J. Rogers" <hj*@dizwell.com> wrote in message
news:<40***********************@news.optusnet.com.au>...
"Serge Rielau" <sr*****@ca.eye-be-em.com> wrote in message
news:cb**********@hanover.torolab.ibm.com...

>* Security Policies (policies attached to tables and views that
>determine what rows can be accessed based on information known about
>the user)

Can be handled with views. Let the DBMS do what the DBMS does best.

Mark can answer for himself, but no this sort of thing can't reasonably
be handled with views. I have a sales table. I want customers to access
it... but they must only see their own rows. If all I've got are views,
I've got to create a different view for each user. And change my
application so it references the right view at the right time as new
views are added because new customers are acquired. Views just won't
cut it.


I wouldn't dispute that FGAC is a better way to achieve this, but it
isn't true that if you used views you would need a view per user.
Long ago in Oracle 7 I worked on a project that implemented access
control via views that looked something like:

create view emp_view as
select * from emp
where deptno in
  ( select deptno
      from users
     where username = USER
  );

Only one view was required per table. Of course, the predicate was
actually rather more complex than that, but you should get the idea.


Right. Now, what about if the user is this sort of customer, he's allowed to
look at those sorts of rows and columns, but if he's this other type of
customer, he can see a different selection of rows and columns. And I want
to test for his IP address as well as his username. And 12 other conditions
as well. And I have other users of the table who aren't customers, but who
access the same table, and should have a completely different sort of where
clause applied. And I'm not entirely sure what the future may bring, but I
suspect there will be even more, distinct, 'consumer groups' for this table
in the future....

Do-able in one view? Maybe. I wouldn't like to see the code at the end of it
though, and you'd better not get run over by a bus, since you're the only
one that really understands it. I certainly think as the complexity
increases, the single view ceases to be a viable option.

Then there's the point I missed but I see others have made: If I can hack
into your box, I can see all the rows of the table. If you can hack into
mine, the FGAC policies still apply, and you can't see any more than you
could by using the front-end application.

Regards
HJR


Nov 12 '05 #181
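The two approaches argued over above, side by side, as an added example that is not from Tony, HJR or any other poster. It is written in Oracle syntax because that is the product under discussion: a single view keyed on the session user (Tony's point that one view per table suffices), followed by the FGAC/VPD equivalent in which the predicate is attached to the table itself (HJR's point that the policy then holds no matter which client reaches the table). The table names, the APP schema, the 10.0.0.0/8 "internal" range and the staff/customer split are all assumptions made for the example.

```sql
-- Constructed schema for the example: one SALES table shared by many customers.
CREATE TABLE sales (
  sale_id     NUMBER        PRIMARY KEY,
  customer_id NUMBER        NOT NULL,
  amount      NUMBER(12, 2) NOT NULL
);

-- One mapping table replaces "one view per customer": which database
-- user belongs to which customer.
CREATE TABLE customer_users (
  username    VARCHAR2(30) NOT NULL,
  customer_id NUMBER       NOT NULL,
  PRIMARY KEY (username, customer_id)
);

-- Internal users who may see every row (constructed table name).
CREATE TABLE staff_users (
  username VARCHAR2(30) PRIMARY KEY
);

-- Approach 1, as Tony describes it: a single view whose predicate is
-- evaluated against the connected user at query time (USER is Oracle's
-- session user name). Grant SELECT on SALES_VIEW, never on SALES itself,
-- because a grant on the base table bypasses the view entirely.
CREATE VIEW sales_view AS
  SELECT s.*
    FROM sales s
   WHERE s.customer_id IN (SELECT cu.customer_id
                             FROM customer_users cu
                            WHERE cu.username = USER);

-- Approach 2, FGAC / VPD as HJR describes it: the predicate is attached
-- to SALES and appended to every statement against the table, whatever
-- client issued it. The policy function returns the predicate as text.
CREATE OR REPLACE FUNCTION sales_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
  v_staff NUMBER;
BEGIN
  SELECT COUNT(*)
    INTO v_staff
    FROM staff_users su
   WHERE su.username = SYS_CONTEXT('USERENV', 'SESSION_USER');

  -- Staff connecting from the internal network (10.0.0.0/8 is an assumed
  -- range) get an always-true predicate, i.e. every row.
  IF v_staff > 0
     AND SYS_CONTEXT('USERENV', 'IP_ADDRESS') LIKE '10.%' THEN
    RETURN '1 = 1';
  END IF;

  -- Everyone else, staff from outside included, sees only the rows of the
  -- customer(s) mapped to the session user. The predicate reads the
  -- session context, so it is re-evaluated per session, not per policy.
  RETURN 'customer_id IN (SELECT cu.customer_id FROM customer_users cu '
      || 'WHERE cu.username = SYS_CONTEXT(''USERENV'', ''SESSION_USER''))';
END sales_policy;
/

-- Attach the policy to the table (APP is the assumed owning schema).
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'SALES',
    policy_name     => 'SALES_CUSTOMER_ROWS',
    function_schema => 'APP',
    policy_function => 'SALES_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);   -- also reject writes that would create rows
                                -- the writer could not read back
END;
/
```

Two caveats a reviewer would want to see next to this. First, SYS_CONTEXT('USERENV', 'IP_ADDRESS') is the address of whatever opened the database session; behind an application server with a connection pool that is the pool's address, not the end user's, so the IP test only means what HJR wants it to mean for direct connections. Second, the VPD predicate is skipped for users holding the EXEMPT ACCESS POLICY system privilege, so the "you can't see more than the front end shows" guarantee depends on keeping that privilege, and DBA-level access generally, off the accounts the application uses.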

"Larry" <La***@nospam.net> wrote in message
news:cb**********@news.btv.ibm.com...
Question though. How many customers in reality have security
requirements that are this granular and that need to be met based on
only an IP address coming in?


Well, on IP address only? Very few, I would have thought. But how many sites
use this sort of granularity, based on a variety of tests and conditions? A
lot.

Regards
HJR
Nov 12 '05 #182
"Howard J. Rogers" <hj*@dizwell.com> wrote in message news:<40***********************@news.optusnet.com.au>...
I've only put my post in at this point for want of somewhere else to do it.
It's not a reply to anyone, actually.

This has all been most fascinating, and probably could continue to be. And
it occurs to me that there is probably a use for a full-blown newsgroup to
cover the intersect between the two products. It must surely be quite common
to have to do both DB2 *and* Oracle work, and a newsgroup that compares one
with another, or explains one in the terms of the other, might not be a bad
idea. If only I knew how to go about doing such a thing, I might perhaps do
it. Maybe someone else will think it a good idea and run with it?
The hard way:

http://www.faqs.org/faqs/usenet/creating-newsgroups/

The easy way:

http://www.nylon.net/alt/newgroup.htm

How about alt.comp.databases.compare? There have been many comparison
threads going back years. Or maybe alt.comp.databases.heterogenous?
(with bets on how long until someone created acd.gay :) Or maybe both
acdc (ohhh... sorry :) for serious discussions and
acd.mine-is-better...

But, aside from that, I'd venture to suggest that the thread itself is
pretty much off-topic for at least the Oracle group, whose charter I have at
least read. Particularly since it regularly threatens to degenerate into a
product-bashing competition, and not a vehicle for mutual enlightenment.
I don't entirely agree, obviously the genital-wart-size posts are OT,
but there is a lot of interesting stuff wrt partitioning, etc. Maybe
shoulda been cdo.misc, but what do you expect from crossposting?

Do you think we might begin to draw it to a close, please?

Just a thought.

Regards
HJR

jg
--
@home.com is bogus.
"I've got two turntables and a microphone." - Beck
Nov 12 '05 #183
Serge Rielau wrote:
IMHO a lot of the fine-grained access control part tastes like syntactic
sugar.
Cheers
Serge


Not at all. One of the core technologies in Oracle that is being
leveraged here is query rewrite.

The database engine rewrites queries to enforce security rules.
We not only see this in FGAC security we see this in the substitution
of materialized views for tables when their use will be more efficient.

And now, carried to the logical extreme, we see it with the ADDM, in
10g, the ability to replace Siebel, SAP, and PeopleSoft junk SQL
statements with far more efficient SQL without having any access to
their source code.

--
Daniel Morgan
http://www.outreach.washington.edu/e...ad/oad_crs.asp
http://www.outreach.washington.edu/e...oa/aoa_crs.asp
da******@x.washington.edu
(replace 'x' with a 'u' to reply)

Nov 12 '05 #184
Larry wrote:
Question though. How many customers in reality have security
requirements that are this granular and that need to be met based on
only an IP address coming in?


At that level of granularity, just a few. And in fact, some of them
don't even exist :-)

"As I was going down the stair, I saw a man who wasn't there. He wasn't
there again today; He must be from the ..."

However, many companies have policies over what data can and cannot be
accessed when on a wireless network or internet via dial up or VPN (as
opposed to the intranet). I know Oracle does for some of the more
significant IP.

Nov 12 '05 #185
.... WHERE has_privileges() = 1

has_privileges() can be a UDF which does whatever you please.
Looking at any credentials the DBMS provides.
In DB2 that may be application ID which contains the IP.
Of course has_privileges() can be modified without ever changing the
view....
It seems functionally the limit is what credentials one can get his/her
hands on rather than which language is used to implement the entry-point.

Cheers
Serge

--
Serge Rielau
DB2 SQL Compiler Development
IBM Toronto Lab
Nov 12 '05 #186
"Howard J. Rogers" <hj*@dizwell.com> wrote in message news:<40***********************@news.optusnet.com.au>...
Right. Now, what about if the user is this sort of customer, he's allowed to
look at those sorts of rows and columns, but if he's this other type of
customer, he can see a different selection of rows and columns. And I want
to test for his IP address as well as his username. And 12 other conditions
as well. And I have other users of the table who aren't customers, but who
access the same table, and should have a completely different sort of where
clause applied. And I'm not entirely sure what the future may bring, but I
suspect there will be even more, distinct, 'consumer groups' for this table
in the future....
But how do you manage these security policies? By manage - I mean,
how do you prove that they work correctly, that you haven't left any
gaps, that the implementation matches the requirements, etc, etc?

I've got an application that has implemented some very complex
security policies like this in the application layer and it is a
maintenance nightmare. They choose to do this in the application
layer for a variety of reasons - including database portability (they
support oracle, db2, sql server is coming). Anyhow, in my
circumstance the vendor hasn't provided the maintenance tools to
really manage this complexity. Being completely pragmatic here - does
Oracle have a good grasp on this today? Can you easily determine in a
proactive fashion:
- all the users & ip ranges that any given row can be accessed by?
- all the rows & columns that a given user can access?
If not, are there tools coming out to help with this?
Then there's the point I missed but I see others have made: If I can hack
into your box, I can see all the rows of the table. If you can hack into
mine, the FGAC policies still apply, and you can't see any more than you
could by using the front-end application.


Well, only if you hack into the database with the right id. I haven't
seen that happen personally, but yeah - it could happen. Tools like
crystal reports aren't a hack of course, that's a deliberate part of
the architecture. Of course, that brings up the other potential
challenge with policies like these - can they be implemented as easily
on the BI (data warehousing, data mart, olap) side as they are on the
OLTP side? Or is the best practice implementation for those very high
security apps that don't ever allow the data out of a single
centralized repository?

buck
Nov 12 '05 #187
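Serge's has_privileges() view (#186) and buck's two management questions (#187, "which users can reach a given row" and "which rows can a given user see") worked through as one added example; this is not code from either poster. The difference from Serge's sketch is that the rules are kept in a policy table rather than inside the function body, which is what makes buck's questions answerable by a query. Oracle syntax is used to match the rest of the thread; the table names, the argument list of has_privileges (Serge's version takes none), the (region, tier) attributes and the sample values 42 and 'ALICE' are all assumptions.

```sql
-- Constructed data table for the example.
CREATE TABLE accounts (
  account_id NUMBER        PRIMARY KEY,
  region     VARCHAR2(10)  NOT NULL,
  tier       VARCHAR2(10)  NOT NULL,   -- e.g. 'GOLD' or 'SILVER'
  balance    NUMBER(12, 2) NOT NULL
);

-- Policy table: each row grants one user access to one (region, tier)
-- combination, optionally only from a given client IP prefix. NULL means
-- "any". Adding a new consumer group is an INSERT here, not a view edit.
CREATE TABLE access_policy (
  username  VARCHAR2(30) NOT NULL,
  region    VARCHAR2(10),
  tier      VARCHAR2(10),
  ip_prefix VARCHAR2(15)
);

-- Serge's UDF, with the row attributes passed in so the decision can be
-- made per row. Returns 1 when at least one policy row matches.
CREATE OR REPLACE FUNCTION has_privileges (
  p_username IN VARCHAR2,
  p_ip       IN VARCHAR2,
  p_region   IN VARCHAR2,
  p_tier     IN VARCHAR2
) RETURN NUMBER
AS
  v_hits NUMBER;
BEGIN
  SELECT COUNT(*)
    INTO v_hits
    FROM access_policy ap
   WHERE ap.username = p_username
     AND (ap.region    IS NULL OR ap.region = p_region)
     AND (ap.tier      IS NULL OR ap.tier   = p_tier)
     AND (ap.ip_prefix IS NULL OR p_ip LIKE ap.ip_prefix || '%');
  RETURN CASE WHEN v_hits > 0 THEN 1 ELSE 0 END;
END has_privileges;
/

-- The view never changes when the rules do; the credentials come from the
-- session context, exactly as Serge suggests.
CREATE VIEW accounts_view AS
  SELECT a.*
    FROM accounts a
   WHERE has_privileges(SYS_CONTEXT('USERENV', 'SESSION_USER'),
                        SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
                        a.region, a.tier) = 1;

-- buck's first question: which users, from which IP prefix, can reach
-- row 42? Because the rules are data, this is a join, not a code review.
SELECT a.account_id,
       ap.username,
       NVL(ap.ip_prefix, 'any') AS ip_prefix
  FROM accounts a
  JOIN access_policy ap
    ON (ap.region IS NULL OR ap.region = a.region)
   AND (ap.tier   IS NULL OR ap.tier   = a.tier)
 WHERE a.account_id = 42
 ORDER BY ap.username, ip_prefix;

-- buck's second question: every row user ALICE could see from any
-- address, i.e. the widest exposure that account has.
SELECT a.*
  FROM accounts a
 WHERE EXISTS (SELECT 1
                 FROM access_policy ap
                WHERE ap.username = 'ALICE'
                  AND (ap.region IS NULL OR ap.region = a.region)
                  AND (ap.tier   IS NULL OR ap.tier   = a.tier));
```

Two practical notes. A function in the WHERE clause is called once per candidate row and cannot use an index on ACCOUNTS, so on a large table the same rule is better expressed as the EXISTS subquery shown in the last statement, which the optimizer can join. And, as buck observes about reporting tools, everything here hangs off ACCOUNTS_VIEW: a BI tool pointed at the ACCOUNTS table itself sees every row, which is why the policy-on-the-table (FGAC) style is the one that survives a second access path.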
Mark,

Thank you for being honest in your answer.

One of the reasons that I asked is because frankly, I really didn't know
the answer (I only have a base of experience with a very specific set of
customers ... although over about 13 years now).

The other is that earlier in this thread, a claim was made that DB2
relied on Tivoli to provide "even the most basic security". Now ... I
know we've beaten it to death already ... and I don't want to continue
to do so. But ... as so frequently happens in the IT world, this boils
down to semantics. I propose that DB2 UDB (without Tivoli) does have
much in the way of "basic" rdbms security authorization and
authentication support. It may be a different implementation than
Oracle. But it's there. And I also submit that "basic" covers the
security needs of the vast majority of users and companies (if not more
than that). I also know that when a requirement is brought forward to
IBM, and it is a frequently requested requirement ... it will likely
find its way into the product ... sooner rather than later if the market
deems it important enough (as I'm sure is the case with Oracle also).

Larry Edelstein

Mark Townsend wrote:
Larry wrote:
Question though. How many customers in reality have security
requirements that are this granular and that need to be met based on
only an IP address coming in?


At that level of granularity, just a few. And in fact, some of them
don't even exist :-)

"As I was going down the stair, I saw a man who wasn't there. He wasn't
there again today; He must be from the ..."

However, many companies have policies over what data can and cannot be
accessed when on a wireless network or internet via dial up or VPN (as
opposed to the intranet). I know Oracle does for some of the more
significant IP.


Nov 12 '05 #188
Pierre Saint-Jacques apparently said, on my timestamp of 26/06/2004 7:43 AM:


HTH, Pierre.


It certainly did. Thanks a lot.

--
Cheers
Nuno Souto
wi*******@yahoo.com.au.nospam
Nov 12 '05 #189
Larry apparently said, on my timestamp of 26/06/2004 7:59 AM:
Question though. How many customers in reality have security
requirements that are this granular and that need to be met based on
only an IP address coming in?


IME, a few. In the military arena it's obvious: all of them, so far.
In banks I've seen this implemented as well.
I'd say in general where there may be a risk for the customer if
anyone can look at all available data in a table.
--
Cheers
Nuno Souto
wi*******@yahoo.com.au.nospam
Nov 12 '05 #190
